Consider the following scenario: A payroll administrator at an undisclosed company receives an e-mail from the chief executive officer with an urgent request.
The content of that e-mail reads, “I’m putting together budgets for next year for an upcoming board meeting, for which I need employee payroll information. I’m out of town. I can’t get into the network, and I need this information urgently. Can you please send this information to my personal e-mail account?” Without hesitation, the payroll administrator sends the requested payroll data, along with its inherent sensitive information—employee salaries, Social Security Numbers, and more.
The following day, the payroll administrator calls the CEO to see if he needs anything else, to which he replies, “What are you talking about?”
An investigation ensues, and damage control now begins for the thousands of employees whose personally identifiable information has been compromised.
Real-life “executive impersonation” schemes like the one described above—and, yes, that one is based on an actual event—are a growing and evolving threat, targeting companies of all sizes and across all industries. “The frequency and volume of occurrences is certainly increasing,” says Annette Stalker, founder of Stalker Forensics and chair of the forensic and litigation services committee for the American Institute of CPAs (AICPA).
The Federal Bureau of Investigation categorizes executive impersonation scams as a type of Business E-mail Compromise (BEC) scam. According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams continue to grow, evolve, and target companies of all sizes, particularly companies that work with foreign suppliers or that regularly perform wire transfer payments.
In total, BEC scams have affected 22,143 domestic and international victims, including complaints filed with international law enforcement agencies and financial institutions, resulting in a combined $3 billion in losses, according to the IC3.
Since January 2015 alone, identified exposed losses—actual and attempted losses in U.S. dollars—from BEC scams have increased 1,300 percent and have been reported by victims in all 50 states and in 100 countries, the IC3 said. Reports indicate that fraudulent transfers have been sent to 79 countries, with the majority going to Asian banks located within China and Hong Kong.
Executive impersonation schemes are more sophisticated than an ordinary phishing attack, in which a targeted employee is tricked into opening an infected e-mail attachment or browsing a malicious website disguised as a trusted destination. The malicious actors behind an executive impersonation scheme tend to perform a significant level of research and due diligence on the company through social media and company websites.
According to recent guidance issued by the AICPA, these bad actors often are familiar with “the corporate culture; the executive’s personality, phrasing, and use of language; the target employee’s position and responsibilities; and information about other employees in the corporate accounting or treasury group.”
They then use this knowledge to carefully craft an e-mail pretending to be a senior executive of the company. “These are very sophisticated, tailored e-mails that are seemingly real,” Stalker says. “Highly educated people who are mindful of their business roles have fallen prey to this.”
Numerous red flags typically characterize executive impersonation schemes. “People need just to be aware of what those are through communication and education to really help them understand what to look for in those instances,” says Steve Conrad, founder and managing director of MediaPro, a firm that specializes in security and privacy awareness and compliance training.
According to recent guidance published by the AICPA, executive impersonation schemes typically share the following key characteristics:
The e-mail request comes from a senior executive or a key vendor or supplier;
Requests purport to arrive when the executive is “out of the office” and can’t be contacted;
An element of urgency or secrecy accompanies the request;
The requested amount is within the normal range of transactions so as not to arouse suspicion;
The displayed e-mail address is nearly identical to the executive’s real e-mail, with subtle differences, sometimes by just one letter. For example, if the actual address is CEO@victimco.com, the impersonator address might be CEO@vicitmco.com.
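The look-alike address check described in the last item can be automated at the mail gateway. The following is an added example, not code from the article or the AICPA; it assumes victimco.com (the article's example) is the company's real domain, and the sample header values are constructed. It flags a sender domain that is one typo or transposition away from the real one (CEO@vicitmco.com), a domain that merely embeds the company name, and a genuine From: address whose Reply-To: silently routes answers outside the company.

```python
from email.utils import parseaddr

# Assumed company domain, taken from the article's example (CEO@victimco.com).
COMPANY_DOMAIN = "victimco.com"


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insert, delete, substitution or swap
    of two adjacent characters each costs 1, so 'vicitmco' is 1 away from 'victimco'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def sender_domain(header_value: str) -> str:
    """Lower-cased domain part of a From:/Reply-To: header such as 'CEO <CEO@victimco.com>'."""
    _, addr = parseaddr(header_value)
    return addr.lower().rpartition("@")[2]


def classify_sender(header_from: str, reply_to: str = "") -> str:
    """Return 'internal', 'reply-to mismatch', 'lookalike' or 'external'."""
    domain = sender_domain(header_from)
    if domain == COMPANY_DOMAIN:
        # Genuine domain, but replies would leave the company unnoticed.
        if reply_to and sender_domain(reply_to) != COMPANY_DOMAIN:
            return "reply-to mismatch"
        return "internal"
    company_label = COMPANY_DOMAIN.split(".")[0]
    # One typo away (vicitmco.com, victimc0.com) or company name embedded (victimco-hr.com).
    if edit_distance(domain, COMPANY_DOMAIN) <= 1 or company_label in domain:
        return "lookalike"
    return "external"


if __name__ == "__main__":
    # Constructed sample headers; a real deployment would read them from the message.
    for hdr in ("CEO <CEO@victimco.com>", "CEO <CEO@vicitmco.com>", "AP <ap@supplier.example>"):
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" or "reply-to mismatch" result is a reason to apply the phone-call verification discussed later, not proof of fraud by itself.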
Typically, malicious actors will request the immediate transfer of large sums of money, often to an overseas bank. As described in the real-life scenario above, however, such schemes can also take the form of a data breach, requesting no money at all.
Employees in the finance department or human resources are especially susceptible, because they have the access and authority to transfer large sums of money or sensitive business information, Conrad says.
Employee awareness, training, and repetition are the most important steps companies can take to prevent executive impersonation fraud, cyber-security experts agree. “The key thing with this kind of fraud is that it is exploiting people and process vulnerabilities, rather than technology,” says Richard Horne, a cyber-security partner for PwC U.K.
[Image: Executive Impersonation Scheme. A sample e-mail showing what an executive impersonation scheme might look like.]
“Risks change all the time,” Conrad says. Executive impersonation schemes, for example, weren’t on the radar two years ago. “How many training programs have something like this? They don’t.”
“As these new risks come up, you need to get these training nuggets out to the right people as soon as you can,” Conrad says. “People need to look at the ongoing education as a process not an event.”
The AICPA’s guidance recommends the following measures:
Increase the frequency of training for employees responsible for wire transfers;
Engage cyber-risk security consultants to identify, monitor, and mediate spear-phishing threats, including identifying employee-targeted attacks on social networks, finding and taking down fraudulent and impersonator accounts, and continuously monitoring important employee and company accounts for signs of being compromised;
Review policies and procedures for requesting, initiating, and approving wire transfers. E-mail requests should be verified by phone calls to company-registered phones. Require two employees to approve wire requests and authenticate the recipient’s identity before releasing the wire transfer.
Conduct a risk assessment of the wire transfer process to identify weaknesses that could be exploited. Identify “look-alike” domains and register them in the name of the company to prevent hackers from attempting BEC attacks.
All employees need to understand that e-mails can be spoofed and to never take significant actions—such as making large payments—on the basis of an e-mail alone, Horne says. A cultural norm is also needed, and that means always verifying the legitimacy of an e-mail’s instructions, he says.
“Many companies have limited the number of personnel authorized to execute wire transfers and instituted a requirement for a verbal confirmation from a known phone number before any wire transfer may be executed,” the AICPA guide states. “The client should have a secondary verification process in place, such as following up via phone call using a verbal authorization code, before any action is taken.”
The moment an executive impersonation scheme is suspected, “early mobilization and assessment of the impact are crucial,” Stalker says. Companies should be ready to quickly assemble a response team, including compliance, in-house counsel, IT, and outside consultants.
“It is critical that they undertake an internal investigation to gather all the relevant facts for management and the board of directors to support their decision making,” Stalker says. “It also will provide a foundation for responding to law enforcement and government investigators and for purposes of insurance recovery.”
Once an employee falls victim to an executive impersonation scheme, by that point it’s too late. “You’re in total damage control,” Conrad says. “So the sooner you can do something, the better off you’re going to be.”